Among the many troubling findings of a report from the Office of the State Auditor on the administration of the state medical marijuana regulatory system is that confidential information about medical marijuana patients has and is being shared, possibly unconstitutionally, with other state agencies, private contractors and law-enforcement agencies.

Using the report’s findings, two advocacy groups, the Cannabis Therapy Institute and the Patient and Caregiver Rights Litigation Project, filed an emergency rules petition to the state Board of Health seeking to stop law enforcement from gaining direct access to the registry. The groups were hoping that the issue would be taken up at a Board of Health meeting in Denver on Wednesday. The state’s response wasn’t available at press time.

The implications are especially problematic for the more than 200,000 current or past Colorado medical marijuana patients and their caregivers on the registry, all citizens who signed up with the expectation that their information would be securely held by the Colorado Department of Public Health and Environment (CDPHE), the state’s administrator of the registry. Marijuana patients can face discrimination in many areas, including employment, housing, benefits, child custody, insurance and especially in interactions with law enforcement, and security of the registry is critical to that end.

The state constitution itself is clear about the registry, which was mandated by Amendment 20 in 2001. “The state health agency shall create and maintain a confidential registry of patients who have applied for and are entitled to receive a registry identification card.” It’s a simple idea to protect the security of patient records. The key word is “confidential.”

Until the audit came out in June, it was assumed the registry was located in a locked room on a single computer with only one backup disc and limited access by public health officials. It was not available on the Internet. Law enforcement could only receive information from the registry after someone who was stopped or arrested presented a Registry ID card. All law-enforcement inquiries were handled by telephone, and only “one or two requests a week” from law enforcement came after normal business hours.

The state auditor found out that state agencies and outside contractors working for public health during the period since 2009, when medical marijuana applications multiplied significantly, also had access to the registry, many apparently without even requiring a confidentiality agreement. Hundreds of people had access, with few, if any, safeguards on how the information might be used.

The audit found 15 reported breach incidents during the approximately one-year time period of the investigation, and that 5,400 caregiver names were “inappropriately provided to the State Auditor” at one point. Caregivers weren’t even informed that their information had been mistakenly leaked.

Even more disturbing, the audit found that the CDPHE, beginning in April of this year, “implemented an automated interface between the Registry and the Colorado Crime Information Center (CCIC), a statewide computer system that delivers criminal justice information to law enforcement agencies. Using the interface, law enforcement officers can query a patient’s name, date of birth, and red card serial number to determine if a patient’s card is valid. If the patient has a record in the Registry, the interface generates a response that includes the patient’s red card issuance and expiration dates, as well as the number of marijuana plants and ounces of medical marijuana that a physician recommended for the patient’s medicinal use.”

The report adds, “It is not clear that Public Health has constitutional authority to provide information about patient plant and ounce counts through the Registry-CCIC interface.” Law enforcement will probably argue that it needs access after hours, but since it can’t get the number of plants in a telephone query to Public Health, why should it be part of the information gathered on police computers? Wouldn’t it be easier, more secure and less expensive to just hire a person after-hours to provide the information rather than making a private database available online to anybody in law enforcement?

The audit also found that the Crime Information Center records every inquiry it makes, as well as the provided response, and those queries are maintained for at least five years and can only be accessed from CBI. So registry information is being kept in a “parallel database,” with little oversight and no transparency.

If any of the findings of the audit are true, CDPHE and law enforcement have some explaining to do. Who would be inclined to apply for a medical marijuana card if he or she knew that personal information was being collected by law enforcement? With the passage of Amendment 64 last year, will medical cannabis patients be pushed to retail stores once they open? Will medical operations be pushed to move to retail, even though each is governed by completely different rules and regulations?

And, once cannabis becomes available as a retail product to anyone with a valid driver’s license, will the state build a database of all cannabis users to share with law enforcement?